“You may transfer personal data to countries within the European Economic Area on the same basis as you may transfer it within the UK. However, you may only send it to a country or territory outside the European Economic Area if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to processing personal data.”
So in the EU we’re all about regulation and compliance protecting the rights of the individual. In the USA things are very different. The attitude to data is more governed by market forces along with the heightened attention on security issues rising out of those attacks 10 years ago. Just six weeks after the attacks “The Patriot Act” was enacted, or to give its full title “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001“. It dramatically reduced restrictions on the various US law enforcement agencies in their ability to search telephone, e-mail communications, medical, financial, and other records including foreign intelligence gathering within the United States. It expands the Secretary of the Treasuryâs authority to regulate financial transactions, particularly those involving foreign individuals and entities and broadened the discretion of law enforcement and immigration authorities. Search warrants can be executed without immediately informing their targets. There has been plenty of debate on the topic, and some would say the law has done more damage than good to the reputation of the United States. There is worry in terms of civil liberties and whether the Act is really good for peace and national security. Sadly back last year some of the powers were extended to June 2015. But what actually happens in practice? A New York Magazine feature last year highlights that the act had been used 1,618 times investigating Drug offences, 122 times for fraud, but only 15 times for the terrorism that it was intended for. The result is that any data stored in the US can be handed over to the US government without so much as a court order or even notice to the owner. But what about US companies operating over here?
“There is already enough confusion over whether UK companies are complying with EC data laws by storing their data on servers in the USA, even with companies who say that they comply with “Safe Harbor”, an unregulated and fairly meaningless cop-out. But does the Patriot Act make Safe Harbor totally redundant? Nobody knows for sure, but it is safe to assume that US authorities won’t be shy in assuming that the Patriot Act overrules any EC law.”
The Safe Harbor John mentions is a framework under which US companies can self-certify that they comply with the obligations under EU data protection regulations. The framework allows for the sharing of data between the EU and self-certified US companies under certain restrictions, such as the promise of reasonable data security and informing the EU of the request for access to the data in question.
John’s fears have been corroborated by two major US corporations. Back in June 2011 at the Office 365 launch, Gordon Frazer, managing director of Microsoft UK, gave the first admission that data stored in their Cloud, regardless of where it is in the world, is not protected from the Patriot Act. In August of 2011 Google also confirmed to Germany’s WirtschaftsWoche that their servers in Europe have no protection from it. That means that some UK and European Cloud companies might spread some FUD (fear uncertainty and doubt) and get a short term advantage over their US competitors. I’ve already heard of one UK government project being shelved 3 months in to development on a well know US PaaS once this issue came to light.
This highlights the need for Cloud providers to be transparent about the supply chain that underpins their service. For my own part, we use Google Apps and we are happy to trust our documents and data to that provider and the potential risk of The Patriot Act, but not everyone will be that comfortable. As a buyer you need to go in with your eyes open and check how and where your data is stored, consider the data protection implications and decide your own position on The Patriot Act. This is a big topic that, up to now, hasn’t got the attention it deserves.
Photo reproduced from Blame It On The Voices.